Virtualization seems to have a lot of security benefits. Rootkits can lie to DomU but not Dom0, and of course snapshotting, migration etc is *really* nice. 

Dom0 in OpenBSD in a current Xen implementation (with HVM) would be a dream. I'd switch wholesale, and buy a CD for every server (as I do now). But doubtless there are a whole host of issues, kernel, SMP, bootloaders (I found OpenBSDs bootloader to be superior to grub in Ubuntu 7.10, it detects media bay HDs, and the installer is fast, efficient, and doesn't crap out on certain video cards/monitors), an LVM, iSCSI support -- and I have no code to contribute, so I will merely remain hopeful without expectation. 

I tried NetBSD Xen, but it seemed the worst of both worlds. Pf circa 3.7, hacks for grub, old version of Xen (2.x series IIRC) without support for the most interesting features, not the same level of security focus, etc. 

So I just picked the best tool for the job. 

I'm happier our webservers are now on OpenBSD with CARP failover.

--
"Invincibility is in oneself, vulnerability in the opponent." -- Sun Tzu

-----Original Message-----
From: Luca Corti <luca@leenoox.net>

Date: Tue, 23 Oct 2007 10:03:42 
To:ropers <ropers@gmail.com>
Cc:Jeff Quast <af.dingo@gmail.com>, OpenBSD-Misc <misc@openbsd.org>,       Nick Guenther <kousue@gmail.com>
Subject: Re: About Xen: maybe a reiterative question but ..


On Tue, 2007-10-23 at 01:11 +0200, ropers wrote:
quoted text
> unavoidable. The question is, is that a worthwhile trade-off? Is this
> a reason not to support Xen? Or should the user be given that option
> regardless of the inherent limitations and consequences?

A proper Dom0 port of XEN to OpenBSD would solve this by removing the
linux dependency. However this would probably require a significant
effort on OpenBSD side and a XEN Hypervisor code audit.

Also from earlier discussion on the list it seems this kind of
virtualization may impact on security, which is in direct contrast with
OpenBSD goals. Can someone elaborate more on this?

ciao

Luca